What does a package manager match mean?

If a dependency component has a Matched status with a NOT IN NVD token and a matching token for one of our supported package managers (Cargo, NPM, NuGet, PyPI), no vulnerabilities have been reported for it in the NVD, but your software does exist in that package manager. This generally means that there are no known vulnerabilities for that dependency component.

Note: To take advantage of this cool new feature, you'll need to upload a new version of your SBOM, as this feature is not retroactive. Alternatively, you will shortly be able to edit a particular dependency component to add or change a PURL string.
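
A pre-upload check tied to the note above, as an added example that is not MedCrypt's code: it walks an SBOM and reports which components carry a PURL whose type is one of the four supported package managers, and which have no usable PURL at all. It assumes a CycloneDX-style JSON layout (`components` entries with `name`, `version`, `purl`) and that the PURL type is what identifies the package manager; neither is stated on this page, and the sample SBOM is constructed.

```python
import re

# The four package managers this page lists as supported, as PURL type names.
SUPPORTED_PURL_TYPES = {"cargo", "npm", "nuget", "pypi"}
_TYPE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.+-]*$")

def purl_type(purl):
    """Return the lowercase type of a Package URL, or None if it is malformed."""
    if not isinstance(purl, str) or not purl.startswith("pkg:"):
        return None
    rest = purl[4:].lstrip("/")                      # 'pkg://type/...' is tolerated
    type_, _, remainder = rest.partition("/")
    path = remainder.split("#", 1)[0].split("?", 1)[0]   # drop subpath, qualifiers
    name = path.rstrip("/").rsplit("/", 1)[-1].split("@", 1)[0]
    if not _TYPE_RE.match(type_) or not name:
        return None
    return type_.lower()                             # PURL types are case-insensitive

def triage_components(sbom):
    """Bucket every component (nested ones included) by PURL usability."""
    report = {"eligible": [], "other_type": [], "no_usable_purl": []}
    queue = list(sbom.get("components", []))
    while queue:
        comp = queue.pop(0)
        queue.extend(comp.get("components", []))
        label = f'{comp.get("name", "?")}@{comp.get("version", "?")}'
        ptype = purl_type(comp.get("purl"))
        if ptype is None:
            report["no_usable_purl"].append(label)   # add or fix the PURL
        elif ptype in SUPPORTED_PURL_TYPES:
            report["eligible"].append(label)
        else:
            report["other_type"].append(label)       # valid PURL, other ecosystem
    return report

# Constructed sample SBOM (assumed CycloneDX-style layout), not real project data.
SAMPLE_SBOM = {"components": [
    {"name": "serde", "version": "1.0.188", "purl": "pkg:cargo/serde@1.0.188"},
    {"name": "@angular/core", "version": "16.2.0",
     "purl": "pkg:npm/%40angular/core@16.2.0"},
    {"name": "requests", "version": "2.31.0", "purl": "pkg:PyPI/requests@2.31.0"},
    {"name": "zlib", "version": "1.3", "purl": "pkg:generic/zlib@1.3"},
    {"name": "Newtonsoft.Json", "version": "13.0.3"},
    {"name": "left-pad", "version": "1.3.0", "purl": "npm:left-pad@1.3.0"},
]}

if __name__ == "__main__":
    for bucket, items in triage_components(SAMPLE_SBOM).items():
        print(f"{bucket}: {', '.join(items) or '-'}")
```

Components reported under `no_usable_purl` are the ones to correct in the SBOM before uploading the new version.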

© Copyright MedCrypt 2023, All rights reserved.